Options Cybersecurity Series: A Password Policy For Hedge Funds

Agreeing an appropriate password policy is one of the most basic security steps when delivering hedge fund IT.

In practice we encounter all sorts, ranging from VIPs who either don’t want a password at all (or just want to use their username) and demand non-expiring passwords because they don’t want to change them (even though they have the most to lose!), to quant traders who demand complex, randomly generated strings of twenty letters, numbers and symbols, changed weekly. You really see it all in this business.

To cut through hours of debate each time we set up a new customer, we now recommend the following as standard when it comes to passwords:

– The password should be technically enforced.

– It should be at least eight characters.

– It should be different from the associated username.

– Contain characters from at least three of the following four classes:

numbers.

upper case letters.

lower case letters.

special characters (e.g. $&^).

– The user should be forced to change it on first login.

– They should also be forced to change it after 60 days.

– They cannot repeat any of the previous 12 passwords.

Simple as that.
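To show what “technically enforced” looks like in code, here is an added example (not from the original post, and not Options’ own tooling) that implements the checks above in Python: minimum length, not equal to or containing the username, three of four character classes, no reuse of the last twelve passwords, and a forced change on first login or after 60 days. Previous passwords are kept only as salted PBKDF2 hashes, not in clear. The user name, the sample passwords and the history are constructed for the example, and the hashing scheme is an assumption since the post does not specify one.

```python
import hashlib
import hmac
import os

# Policy constants taken from the post's recommendations.
MIN_LENGTH = 8
REQUIRED_CLASSES = 3      # of the four character classes below
HISTORY_DEPTH = 12
MAX_AGE_DAYS = 60
PBKDF2_ROUNDS = 100_000   # assumption: the post does not specify a hashing scheme


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, so the history never holds old passwords in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def character_classes(password: str) -> set:
    """Which of the four classes (digit, upper, lower, special) the password uses."""
    classes = set()
    for ch in password:
        if ch.isdigit():
            classes.add("digit")
        elif ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif not ch.isspace():
            classes.add("special")
    return classes


def used_recently(candidate: str, history: list) -> bool:
    """True if the candidate matches any of the last HISTORY_DEPTH stored hashes."""
    return any(
        hmac.compare_digest(hash_password(candidate, salt), digest)
        for salt, digest in history[:HISTORY_DEPTH]
    )


def check_password(candidate: str, username: str, history: list) -> list:
    """Return the list of rule violations; an empty list means the password is acceptable.

    `history` is a list of (salt, digest) tuples, most recent first, as kept by
    remember_password(). Rejecting passwords that merely *contain* the username is a
    slightly stricter reading of "different from the username" than the post states.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")
    if username.lower() in candidate.lower():
        problems.append("matches_username")
    if len(character_classes(candidate)) < REQUIRED_CLASSES:
        problems.append("too_few_classes")
    if used_recently(candidate, history):
        problems.append("reused")
    return problems


def remember_password(history: list, password: str) -> list:
    """Record a newly set password and drop anything older than HISTORY_DEPTH entries."""
    salt = os.urandom(16)
    history.insert(0, (salt, hash_password(password, salt)))
    del history[HISTORY_DEPTH:]
    return history


def needs_change(age_days: float, first_login: bool = False) -> bool:
    """Forced change on first login, and again once the password is older than 60 days."""
    return first_login or age_days > MAX_AGE_DAYS


if __name__ == "__main__":
    # Constructed sample: a hypothetical user "jsmith" and thirteen rotations of their password.
    hist = []
    for quarter in range(13):
        remember_password(hist, f"Quarter{quarter}!Pw")
    print(check_password("jsmith", "jsmith", hist))         # too short, is the username, one class
    print(check_password("Quarter12!Pw", "jsmith", hist))   # the most recent password: reused
    print(check_password("Quarter0!Pw", "jsmith", hist))    # thirteen changes ago: allowed again
    print(check_password("Tr4d!ngDesk", "jsmith", hist))    # passes every rule: []
```

In a real deployment these settings belong in the directory’s own password policy, where they are enforced for every logon; the script is there to make each rule concrete, including the one detail people often get wrong, namely that a history of twelve means the thirteenth-oldest password becomes usable again.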

The practical issue with passwords (as pen-testers demonstrate again and again across the industry) is that the more often users are forced to change their password, the more likely they are to write it on a post-it or a sheet of paper on their desk, so there has to be a trade-off between rotation frequency and usability.

The standard advice is never to write passwords down and to build them around a memorable pattern, but in practice, given that traders by nature don’t always take advice (they are risk takers after all), our recommendation is that firms insist their staff use LastPass (https://lastpass.com) or a similar password manager, which makes random, unique passwords simple to manage.

A final issue for platform providers and internal IT departments is what happens on failed logons. We generally suggest a policy where, after five failed attempts, the account is locked out for a period and a tech contact is notified automatically. Passwords should also be changed immediately when staff move on.
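The lockout behaviour described above, as an added example that is not part of the original post: a small Python policy object that counts failed logons per account, locks the account after five failures, rejects even the correct password while the lock is in force, and calls a notification hook for the tech contact. The fifteen-minute lockout, the user store and the notification hook are assumptions (the post says only “a period”), and the clock is injectable so the expiry can be exercised without waiting.

```python
import hmac
import time
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 5        # failed attempts before the account is locked
LOCKOUT_SECONDS = 15 * 60    # assumption: the post says only "a period"

# Constructed sample user store; plaintext only to keep the demo short.
DEMO_USERS = {"jsmith": "Tr4d!ngDesk"}


def demo_verify(username: str, password: str) -> bool:
    """Constant-time comparison against the demo store; unknown users simply fail."""
    expected = DEMO_USERS.get(username)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since the last success or lockout
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LockoutPolicy:
    def __init__(self, notify, clock=time.time):
        self._accounts = {}
        self._notify = notify  # called with the username when a lockout triggers
        self._clock = clock    # injectable so tests can advance time

    def is_locked(self, username: str) -> bool:
        state = self._accounts.get(username)
        return state is not None and self._clock() < state.locked_until

    def attempt_login(self, username: str, password: str, verify) -> str:
        """Return 'ok', 'failed' or 'locked'.

        The lock is checked before the password is verified, so a locked account
        rejects even the correct password until the period has elapsed.
        """
        state = self._accounts.setdefault(username, AccountState())
        now = self._clock()
        if now < state.locked_until:
            return "locked"
        if verify(username, password):
            state.failures = 0
            return "ok"
        state.failures += 1
        if state.failures >= LOCKOUT_THRESHOLD:
            state.locked_until = now + LOCKOUT_SECONDS
            state.failures = 0     # a fresh count once the lock expires
            self._notify(username)
            return "locked"
        return "failed"


if __name__ == "__main__":
    policy = LockoutPolicy(notify=lambda user: print(f"ALERT: {user} locked out, tech contact notified"))
    for pw in ["guess1", "guess2", "guess3", "guess4", "guess5", "Tr4d!ngDesk"]:
        print(pw, "->", policy.attempt_login("jsmith", pw, demo_verify))
```

One caveat a practitioner will want: a hard lockout means anyone who knows a username can lock that user out by typing five wrong passwords, so the period should be short enough, and the alert useful enough, that this is an inconvenience rather than an outage.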